Solved

H323 through an ASA

Posted on 2011-03-07
Last Modified: 2012-08-14
I have a setup as follows:

H323 v codec ----- Cisco 877 -----VPN-----(outside) Cisco ASA 5510 (inside) ------- H323 Gateway.

The problem is that the H323 video codec is not registering with the H323 gateway. Other codecs which do not go through the firewall register with the Gateway ok. The Routing, VPN and Connectivity between the two gateways is fine; they can talk to each other on any port on any protocol.

A packet capture on the 877 shows that the codec is sending out H323 register packets. With a "show ipsec sa detail" you can see the packets are being encrypted, as this is currently the only traffic on the link. On the Cisco ASA you can see the packets are being decrypted, but then they vanish. A packet capture on the inside interface of the firewall shows no traffic from the video codec.

Full debugging on both the ASA and 877 does not show any errors. I have tried having the inspect h323 option turned on and off for the ASA on the .

Anyone got any ideas on why this traffic would be blocked?



 
Question by: question01
Expert Comment by: Istvan Kalmar (ID: 35062022)

Expert Comment by: netcmh (ID: 35062078)
policy-map global_policy
 class inspection_default
  inspect h323
  inspect sip

Would be all that's required, I think.
Author Comment by: question01 (ID: 35062124)
Yes, I have tried it with the following config and without.

policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras

Makes no difference.

Does the global_policy definitely apply to traffic coming out of a VPN?
Author Comment by: question01 (ID: 35062131)
Why would I need SIP?
Expert Comment by: Istvan Kalmar (ID: 35062180)
Did you apply the policy to the outside interface?
What do the logs show?
Author Comment by: question01 (ID: 35062297)
The global_policy applies to all traffic by default, doesn't it?

The only log from the ASA which mentions the codec is

Tear-down local-host outside:10.x.x.x duration: 00:00:00

The 10.x.x.x is the codec. This log gets created every 10 seconds or so, with the duration at 00:00:00.
Author Comment by: question01 (ID: 35062604)
Canberra-ASA# show service-policy inspect h323 h225

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection
Canberra-ASA# show service-policy inspect h323 ras

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection
Expert Comment by: Istvan Kalmar (ID: 35066334)
It shows that the inspection has not recognized the H323 packets...
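The reading above rests on two pieces of evidence the asker posted: every "Inspect: h323 ..." counter is 0 in both the global policy and the interface policy, and the only ASA log mentioning the codec is a local-host teardown with a 00:00:00 duration repeating every ten seconds. The following script is an added example (not from the thread or from Cisco) that automates that triage: it parses the "show service-policy inspect h323 ras" output exactly as quoted in the thread, reports inspections whose counters never moved, and counts zero-duration teardowns per host from syslog lines. The sample syslog lines are constructed in the shape of the one message quoted above (timestamps, the "inside" interface and the 192.0.2.10 host are made up), and the regexes assume the line formats shown on this page rather than any other ASA release's wording.

```python
import re
from collections import Counter

# Output of 'show service-policy inspect h323 ras', copied from the thread above.
SHOW_OUTPUT = """\
Canberra-ASA# show service-policy inspect h323 ras

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection
"""

# Constructed syslog lines in the shape of the teardown message quoted in the
# thread; timestamps, the "inside" interface and the 192.0.2.10 host are made up.
SYSLOG_LINES = [
    "Mar 07 10:00:00 Teardown local-host outside:10.x.x.x duration: 00:00:00",
    "Mar 07 10:00:10 Teardown local-host outside:10.x.x.x duration: 00:00:00",
    "Mar 07 10:00:12 Teardown local-host inside:192.0.2.10 duration: 00:05:31",
    "Mar 07 10:00:20 Teardown local-host outside:10.x.x.x duration: 00:00:00",
]

# Regexes are written against the exact line shapes quoted on this page.
SCOPE_RE = re.compile(r"^(Global policy|Interface \S+):$")
POLICY_RE = re.compile(r"^\s+Service-policy: (\S+)$")
CLASS_RE = re.compile(r"^\s+Class-map: (\S+)$")
INSPECT_RE = re.compile(
    r"^\s+Inspect: (?P<proto>.+?) (?P<map>\S+), packet (?P<packet>\d+), "
    r"drop (?P<drop>\d+), reset-drop (?P<reset>\d+)$"
)
TEARDOWN_RE = re.compile(
    r"Tear-?down local-host (?P<iface>[^:\s]+):(?P<host>\S+) "
    r"duration:? (?P<dur>\d+:\d\d:\d\d)"
)


def parse_inspect_counters(text):
    """Return one record per 'Inspect:' line, tagged with the scope,
    service-policy and class-map it sits under."""
    scope = policy = cls = None
    rows = []
    for line in text.splitlines():
        m = SCOPE_RE.match(line)
        if m:
            scope = m.group(1)
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            continue
        m = INSPECT_RE.match(line)
        if m:
            rows.append({
                "scope": scope, "policy": policy, "class": cls,
                "protocol": m["proto"], "map": m["map"],
                "packet": int(m["packet"]), "drop": int(m["drop"]),
                "reset_drop": int(m["reset"]),
            })
    return rows


def idle_inspections(rows):
    """Inspections whose counters are all zero: the inspection engine has
    never seen a packet matching that class, in that scope."""
    return [(r["scope"], r["policy"], r["protocol"]) for r in rows
            if r["packet"] == 0 and r["drop"] == 0 and r["reset_drop"] == 0]


def zero_duration_teardowns(lines):
    """Count, per interface:host, local-host teardowns whose flow lived 00:00:00,
    i.e. hosts that are created and torn down again immediately."""
    hits = Counter()
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if m and m["dur"] == "00:00:00":
            hits[f"{m['iface']}:{m['host']}"] += 1
    return hits


if __name__ == "__main__":
    for scope, policy, proto in idle_inspections(parse_inspect_counters(SHOW_OUTPUT)):
        print(f"{scope} / {policy}: '{proto}' inspection has never matched a packet")
    for host, n in zero_duration_teardowns(SYSLOG_LINES).items():
        print(f"{host}: {n} zero-duration local-host teardowns")
```

Both checks returning hits together is the pattern in this thread: the firewall is creating a host entry for the codec (so the decrypted packets are reaching the ASA) yet no inspection counter moves and nothing appears on the inside capture, which points at the VPN/flow handling rather than at the h323 inspection configuration itself.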
Author Comment by: question01 (ID: 35075006)
Yes, it looks that way. So why would it not be inspecting the H323 packets?

Does the global policy apply to traffic coming out of a VPN?

Accepted Solution by: question01 (earned 0 total points, ID: 35089993)
After a reboot of the firewall the problem is resolved. Not sure what was causing the problem, but the VPN was playing up with some strange errors.

Author Closing Comment by: question01 (ID: 35126460)
Reboot fixed it.
Expert Comment by: netcmh (ID: 35129291)
Glad you got that resolved.